What can you do to secure your Internet of Things devices? Keep them off the internet.

Damian Duffy

Head of IoT at eir Business

Damian Duffy, Head of IoT at eir Business, examines the growing trend of Internet of Things devices being hijacked, recruited into a botnet, and used to perform cyberattacks. What can enterprises do to minimise their exposure to this threat.

Just over a year ago, the website of well-known security journalist Brian Kerbs was taken down in one of the largest Distributed Denial of Service (DDOS) attacks in history. The attack was traced back to a botnet called Mirai. The botnet was notable at the time due to its scale and the disturbing fact that it didn’t infect “traditional” computers, but rather it infected thousands of Internet of Things (IoT) devices, like web cams, thermostats and digital video recorders.

Since then, the source code for Mirai has become widely available and we have seen an increasing number of threats directed at weakly secured IoT devices. In some cases these botnets are even fighting with each other in order to gain and maintain control over hundreds of thousands of IoT devices.

Assembling an army of IoT devices

An army of IoT devices can be used for a number of tasks: DDOS attacks are certainly one, but Bitcoin mining may be another. We’re hearing reports about website owners harnessing the CPU power of their visitors in order to run their own digital currency (Bitcoin) mining scripts without the users’ knowledge or consent. It’s easy to see why hackers would turn to digital currency mining; if they can commandeer enough devices to run their mining scripts, they remove the costs of running their own datacentre mining operation – and make massive profits.

Hajime, one of the largest botnets currently in existence, has over 300,000 infected hosts, but has yet to reveal its purpose. Disturbingly, botnets like Hajime are made up of a large number of Digital Video Recorders (DVR), webcams and routers. The risk that data from these devices could be used in a more surgical way to attack specific targets not just in the virtual world but in the real one is a scary proposition; the security camera system you bought to monitor your premises could be used to monitor staff movements and your network router could intercept or redirect traffic to gain access to sensitive information.

How are these devices hijacked?

Most of these devices are commandeered because the front door has been left ajar, i.e. they use default passwords or the telnet ports are left open. And, as the growth of IoT continues, new vulnerabilities will be discovered that may be less obvious, such as protocol or underlying kernel security bugs.

When you combine these possible vulnerabilities with the nature of IoT devices, you’re looking at a very real threat.

• Large number of devices
• Multi-year service lifespan
• Very low (or no) bandwidth for updates
• Sometimes rushed to market
• Sometimes using off the shelf multi-purpose compute modules
• Running an OS with more services active than required

How can you secure your IoT devices?

One way to address this risk is to take your device off the internet. Internet of Things search engine shodan.io makes it easy to find “things” (such as webcams) sitting on the internet. By removing any direct access to the internet, you can introduce another layer to your security model. This doesn’t mean you can’t output the data stream from your sensors to the web, it just means you do so via appropriate mediation infrastructure and never directly from the IoT device. You’re essentially letting your network do some of the heavy lifting by segregating your traffic, rather than relying entirely on trying to harden a device.

If you do require access to public infrastructure, there is the option of applying whitelists to your internet connection. Generally speaking IoT applications don’t need access to a wide range of resources, so whitelisting is easy and effective. And because the Access Control Lists (ACLs) are managed from within the network, even if someone infects an end-point, they can’t add an exception to the rules. Which means they will run into a dead end.

It might sound counter-intuitive to remove your Internet of Things devices from the internet, but the threats enterprises are facing are real and imminent. By shifting the goal post a little, and using a private, secure network for your IoT devices, you can minimise your exposure to the threat of cybercrime.

Damian Duffy is Head of Mobility with eir Business where he works on machine-to-machine infrastructure projects. For more information about eir’s suite of mobility solutions, contact damian.duffy@eir.ie. If you would like to read more blog posts about mobility visit the eir Business blog.